/*  JSShield JavaScript Security API, version 0.03
 *  (c) 2007 Matthias Rohr (SecureNet GmbH)
 *
 *  JSShield is freely distributable under the terms of the GNU General Public License (GPL)
 *
/*--------------------------------------------------------------------------*/

var JSShield = new Object();

JSShield.Version: '0.03';

JSShield.Policy = new Object();

JSShield.Policy.AllowScripting			= true;

JSShield.Policy.AllowAlert 				= true;
JSShield.Policy.AllowConfirm			= false;
JSShield.Policy.AllowPopups 			= false;
JSShield.Policy.AllowRedirects 			= false;
JSShield.Policy.AllowXHR				= true;
JSShield.Policy.AllowWrite 				= true;
JSShield.Policy.AllowCreate 			= true;
JSShield.Policy.AllowFraming 			= false;
JSShield.Policy.AllowNameTag 			= false;
JSShield.Policy.AllowIFrames			= true;
JSShield.Policy.AllowExternalIFrames 	= false;
JSShield.Policy.AllowEval 				= false;

JSShield.Policy.DoValidate				= false;
JSShield.Policy.SanitizeOnFailure 		= true;
JSShield.Policy.RedirectOnFailure 		= "";

JSShield.Debug 							= false;

JSShield.signatures = [
	/(alert\S*\()/i,
	/(eval\S*\()/i,
	/(<\S*script)/i,
	/(<\S*\/\S*script)/i,
	/(<\S*iframe\S*)/i,
	/(<\S*\/\S*iframe)/i,
	/(<\S*img\S*)/i,
	/(<\S*\/\S*img)/i,
	/document\S*\./i,
	/(\;\S*\{)/,
	/\'/
];

JSShield.ExtractHostname = function (url) {
		var match = /^https?:\/\/([^\/]*)/.exec(url); 
		if (match) { return match[1]; }
		return "";
}
	
JSShield.AddSignature = function (str) {
	JSShield.signatures.push(str);
}

JSShield.IsForeignFrame = function() {
	return (parent.location.hostname != location.hostname);
}

JSShield.RemoveAllIFrames = function () {	
		var list = document.getElementsByTagName("iframe");
			for (var i = 0; i < list.length; i++) {
			var elem = list[i];

			elem.parentNode.removeChild(elem);
		}
		setTimeout("JSShield.RemoveAllIFrames()",2000);
}
	
JSShield.RemoveExternalIFrames = function () {	
		var list = document.getElementsByTagName("iframe");
			for (var i = 0; i < list.length; i++) {
				var elem = list[i];
				
				var reg = new RegExp( top.document.domain + "$");
				
				if (!reg.test( JSShield.ExtractHostname(elem.src) )) {
					elem.parentNode.removeChild(elem);
				}
		}
		setTimeout("JSShield.RemoveExternalIFrames()",2000);
}

JSShield.DeactivateConfirm= function () {
	try {
		window.confirm = function(a) {};
	}
	catch (err) {}
}


JSShield.DeactivatePopups = function () {
	window.open = function(){}
	var methods = "document".split(",");
	var make_method = function(name){
		window.open.prototype[name] = function(){
			var params = new Array(arguments.length);
			for(var i=0;i<params.length;i++) params[i] = "_"+i;
			return Function(
				params.join(","),
				["return null"].join("")
			).apply(this,arguments);
		}
	};
	for(var i=0;i<methods.length;i++) make_method(methods[i]);
}

JSShield.DeactivateWrite = function () {
	try {
		document.write = function(a) {};
	}
	catch (err) {}
}

JSShield.DeactivateCreate = function () {
	try {
		document.createElement = function(a,b) {};
	}
	catch (err) {}
}

JSShield.DeactivateAlert = function () {
	try {
		window.alert = function(a) {};
	}
	catch (err) {}
}

JSShield.DeactivateXHR = function () {
	XMLHttpRequest = function(){
		var self = this;
		var props = "readyState,responseText,responseXML,status,statusText".split(",");
		this.readyState  = 0;
		this.__request__ = new Object();
		this.__request__.onreadystatechange = function(){
			for(var i=0;i<props.length;i++){
				try{
					self[props[i]] = self.__request__[props[i]]
				}catch(e){
				}
			}
			self.onreadystatechange();
			self.readyState == 4 && self.onload();
		}
		this.onreadystatechange = function(){};
	}
	var methods = "open,abort,send,setRequestHeader,getResponseHeader,getAllResponseHeaders".split(",");
	var make_method = function(name){
		XMLHttpRequest.prototype[name] = function(){
			var params = new Array(arguments.length);
			for(var i=0;i<params.length;i++) params[i] = "_"+i;
			return Function(
				params.join(","),
				["return null"].join("")
			).apply(this,arguments);
		}
	};
	for(var i=0;i<methods.length;i++) make_method(methods[i]);
}

JSShield.DeactivateNameTag= function () {
	window.name = false;
}

JSShield.DeactivateRedirects = function () {
	//window.location = new Object();
}
	
JSShield.DeactivateEval= function () {
	try {
		eval = function(a) {};
	}
	catch (err) {}
}

JSShield.Validate = function (str) {
	
 	for(var i=0; i< JSShield.signatures.length; i++)	{
		var reg1str = JSShield.signatures[i];
       	var reg1 = new RegExp(reg1str);
		var msg = reg1str;
		
		if (reg1.test(unescape(str))) {
			return msg;
		}
	}
	 return "";
}

JSShield.DoValidate = function() {

	var tmparr = new Array();
	
	var i;
	for(i=0; i< JSShield.signatures.length; i++) {
		tmparr[i] = JSShield.signatures[i];
	}
	
	for(i=0, d = tmparr.length; i< JSShield.signatures.length; i++) {
		tmparr[d++] = escape(JSShield.signatures[i]);
	}
	
	var found = false;
	
	var str;
	
	//  preventing XSS via query string
	if (str = JSShield.Validate(window.location.search))
		if ((!JSShield.Debug) || (confirm("XSS Attempt Idenfiied ! \n*** Query: "+unescape(window.location.search)+" \n*** Pattern: +"+str+"\n\nFilter It ?"))) {
			if (JSShield.Policy.SanitizeOnFailure)
				window.location.search="";
				
			found = true;
		}

//	  preventing XSS via name tag
	if (str = JSShield.Validate(name))
		if((!JSShield.Debug) || (confirm("XSS Attempt Idenfiied ! \n*** Name-Tag: "+unescape(name)+" \n*** Pattern: +"+str+"\n\nRedirect ?"))) {
			if (JSShield.Policy.SanitizeOnFailure)
				name = "";
				
			found = true;
		}
		
	if ((found) && (JSShield.Policy.RedirectOnFailure)) {
		window.location.href = JSShield.Policy.RedirectOnFailure
	}
	else {
		return found;
	}
}

JSShield.Activate = function() {	

	if (!JSShield.Policy.AllowScripting) {
		if (JSShield.Policy.RedirectOnFailure != "") {
			window.location = JSShield.Policy.RedirectOnFailure;
		}
		else {
			alert("Please deactivate JavaScript in your browser to use this site");
			window.location = "about:blank";
		}
	}
	
	if ( JSShield.Policy.DoValidate) {
		found = JSShield.DoValidate();
		if ((found) && (JSShield.Policy.RedirectOnFailure)) {
			window.location.href = JSShield.Policy.RedirectOnFailure
		} 
	}
	
	if (!JSShield.Policy.AllowAlert ) {
		JSShield.DeactivateAlert();
	}
	if (!JSShield.Policy.AllowConfirm) {
		JSShield.DeactivateConfirm();
	}
	if (!JSShield.Policy.AllowPopups) {
		JSShield.DeactivatePopups();
	}
	if (!JSShield.Policy.AllowWrite) {
		JSShield.DeactivateWrite();
	}	
	if (!JSShield.Policy.AllowCreate) {
		JSShield.DeactivateCreate();
	}	
	if (!JSShield.Policy.AllowNameTag) {
		JSShield.DeactivateNameTag();
	}	
	if (!JSShield.Policy.AllowXHR) {
		JSShield.DeactivateXHR();
	}	
	if (!JSShield.Policy.AllowIFrames) {
		JSShield.RemoveAllIFrames();
	}	
	else if (! JSShield.Policy.AllowExternalIFrames) {
		JSShield.RemoveExternalIFrames();
	}	
	if (!JSShield.Policy.AllowEval) {
		JSShield.DeactivateEval();
	}	
	if (!JSShield.Policy.AllowRedirects) {
	//	window.location.prototype = new function(a) {};
	}
}
